CVE-2026-54497
Received Received - Intake

Stored ViewComponent State Leak in Ruby on Rails

Vulnerability report for CVE-2026-54497, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 4.0.0 until 4.12.0, ViewComponent::Base instances retain render-scoped objects across calls to render_in; if the same component, collection, or spacer component instance is reused across requests, users, tenants, or threads, later renders can use stale helpers, controller, request, view_flow, format/variant details, and slot child context from an earlier render. This can cause authorization-aware components to render privileged UI for a lower-privileged user, generate links using a stale Host header, leak slot/helper state, and mix request context under concurrent rendering. This issue is fixed in version 4.12.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
github view_component From 4.0.0 (inc) to 4.12.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
CWE-488 The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the view_component framework in Ruby on Rails. It allows ViewComponent::Base instances to retain render-scoped objects across multiple render calls. If the same component instance is reused across different requests, users, or threads, later renders may use stale data like helpers, controller details, or authorization context. This can lead to unauthorized UI rendering, stale Host header usage, or state leaks.

Detection Guidance

Detecting this vulnerability requires checking if your Ruby on Rails application uses view_component versions between 4.0.0 and 4.12.0. Run: gem list view_component to check the installed version. If the version is within this range, the system is potentially vulnerable.

Impact Analysis

This vulnerability can cause authorization issues where a lower-privileged user sees privileged UI. It may also generate incorrect links using outdated Host headers, leak internal state between requests, or cause problems under concurrent rendering scenarios. Systems relying on view components for access control or request-specific data are most at risk.

Compliance Impact

This vulnerability could lead to unauthorized data exposure or privilege escalation, violating GDPR's data protection principles or HIPAA's access control requirements. If sensitive UI elements are rendered for unauthorized users, it may result in compliance violations. Organizations using this framework should update to version 4.12.0 to mitigate risks.

Mitigation Strategies

Upgrade view_component to version 4.12.0 or later immediately. Use the command: gem install view_component -v '>=4.12.0'. After upgrading, restart your Rails application to apply the changes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54497. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart